Oh Boy! It’s been over 4 months now since I wrote a blog post. Work and my other daily activities like exercise, cooking, cleaning, etc. have been keeping me really busy. With this post my intention is to slowly start blogging again.

Purpose: Some time back I blogged about how to install and configure MediaWiki on a Debian system. Today we will learn how to use LDAP/Active Directory authentication with an existing MediaWiki setup. Please note that we won’t go into the details of LDAP or Active Directory themselves.

What is LDAP/Active Directory Authentication?

Normally when you install MediaWiki you first have to create a user account in the wiki itself in order to log in. But what if you want to centralize authentication? That is, suppose there is already a system (say, a Windows Server running Active Directory) that maintains a central repository of usernames and passwords; we can use that to authenticate MediaWiki logins instead of keeping a separate set of wiki passwords.

Assumption

We are assuming that there is a Windows Server machine already running in your LAN/intranet with Active Directory, and that it is reachable from the wiki host on the LDAP port (389/tcp).

So let’s get started…

Step 1: Get the extension for LDAP Authentication

We will be using the popular LDAP Authentication extension for this purpose. I suggest that you download the extension release that corresponds to your MediaWiki version. For example, on my Debian Lenny system the current MediaWiki version is 1.12, so I recommend installing the extension build for version 1.12. You can browse the different versions of this extension here.

Step 2: Install/copy the extension files

# tar -xzf LdapAuthentication-MW1.12-r30722.tar.gz -C /var/lib/mediawiki/extensions

Step 3: Install the LDAP plugin for PHP

You will need this package (the PHP LDAP module, which provides the ldap_* functions the extension calls) in order for the extension to work properly.

# apt-get install php5-ldap

Step 4: Configure the extension

This is the most important step and the step where most users will naturally run into problems. Please note that I am not the person who administers the Active Directory, nor am I an expert in Active Directory. In fact I barely know much about Active Directory, but I have just enough information about my current Active Directory server to connect and authenticate using this extension. So if I am able to get this done successfully there is no reason why you won’t be able to. Also, the steps that I am showing here are for a very simple, non-fancy, non-complex setup.

Add the following lines to your /etc/mediawiki/LocalSettings.php, preferably towards the end of the file (after $IP has been set, since the require_once line uses it); in general I have found this to work even if you add it near the beginning:


# Enable LDAP Authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
# Domains offered in the "Domain Name" field on the login page
$wgLDAPDomainNames = array( "mycompany.net" );
# Domain controller to bind to for that domain
$wgLDAPServerNames = array( "mycompany.net" => "myad1.mycompany.net" );
# Bind as DOMAIN\user; the extension replaces USER-NAME with the login name
$wgLDAPSearchStrings = array( "mycompany.net" => "mynet\\USER-NAME" );
# "clear" = plain LDAP on port 389: the password crosses the network unencrypted
$wgLDAPEncryptionType = array( "mycompany.net" => "clear" );
# Do not fall back to the local MediaWiki user table for authentication
$wgLDAPUseLocal = false;
# Relaxes MediaWiki's own length check; the real password policy is enforced by AD
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "mycompany.net" => "dc=mycompany,dc=net" );
# AD attribute that holds the logon name
$wgLDAPSearchAttributes = array( "mycompany.net" => "sAMAccountName" );
# Pull real name and e-mail from the directory into the wiki user record
$wgLDAPRetrievePrefs = array( "mycompany.net" => true );
$wgLDAPDebug = 3; //for debugging LDAP (prints diagnostics into the page; turn off once it works)
$wgShowExceptionDetails = true; //for debugging MediaWiki (likewise, disable in production)

Where:

mycompany.net = the Active Directory domain name in your company/enterprise (the label shown in the login form’s Domain Name field)

myad1.mycompany.net = hostname of the domain controller that the wiki will bind to

mynet = the short (NetBIOS) domain name, the part before the backslash in a DOMAIN\user logon

You should be able to get these values from the IT person who is in charge of the Active Directory.
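Once the login works, the plaintext and debugging settings above should not stay in a production LocalSettings.php: "clear" sends every user’s domain password over the wire unencrypted, and the debug flags print diagnostics into the page. The following is an added example, not code from the original post or from the extension’s own documentation, showing the same block with production values. The hostnames and DN are the post’s placeholders; $wgLDAPPort is the extension’s setting for a non-default port and is only needed if the domain controller does not listen on 389/636.

```php
<?php
// Added example: production version of the LDAP block from the post.
// Hostname, NetBIOS name and base DN are placeholders, not real values.
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames      = array( "mycompany.net" );
$wgLDAPServerNames      = array( "mycompany.net" => "myad1.mycompany.net" );
$wgLDAPSearchStrings    = array( "mycompany.net" => "mynet\\USER-NAME" );
$wgLDAPBaseDNs          = array( "mycompany.net" => "dc=mycompany,dc=net" );
$wgLDAPSearchAttributes = array( "mycompany.net" => "sAMAccountName" );
$wgLDAPRetrievePrefs    = array( "mycompany.net" => true );
$wgLDAPUseLocal         = false;

// Kept from the post: this only relaxes MediaWiki's local length check,
// the domain password policy is still enforced by Active Directory.
$wgMinimalPasswordLength = 1;

// Weak setting from the tutorial, for comparison (bind password in plaintext):
//   $wgLDAPEncryptionType = array( "mycompany.net" => "clear" );
// "tls" upgrades the port 389 connection with STARTTLS before the password is sent;
// "ssl" instead uses LDAPS on port 636.
$wgLDAPEncryptionType = array( "mycompany.net" => "tls" );
// Only needed when the domain controller listens on a non-default port:
// $wgLDAPPort = array( "mycompany.net" => 389 );

// Debug output belongs on a test instance only: level 3 prints bind
// diagnostics into the wiki page, and exception details expose paths and
// internals to whoever triggers the error.
$wgLDAPDebug = 0;
$wgShowExceptionDetails = false;
```

For "tls" or "ssl" to succeed, the domain controller must present a certificate that the OpenLDAP client library used by php5-ldap trusts; on Debian that means pointing TLS_CACERT in /etc/ldap/ldap.conf at the CA certificate that issued the domain controller’s certificate.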

Step 5: Login

Now the time has come to see whether we configured the extension correctly! Go to your MediaWiki login page:

http://localhost/wiki/index.php?title=Special:Userlogin&returnto=Main_Page

and you should see a “Domain Name” field right below the username and password inputs:

[Screenshot: MediaWiki login form with the added Domain Name field]

The field is populated with the Active Directory name (in this case mycompany.net) that you specified in LocalSettings.php.

Try entering the username and password of a user that already exists in the Active Directory and see if you can log in. If you can, congratulations, your setup works. If not, we need to debug further.

Additional Questions/Notes

What happens if I don’t install the correct version of the extension?

You are likely to get the following error as soon as you load your MediaWiki page (http://localhost/wiki/):

Fatal error: Class 'AuthPlugin' not found in /var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on line 65

The extension is referring to a MediaWiki core class that the installed version does not provide at the point the extension is loaded, which is what a mismatch between the extension build and the core version looks like.

Where do I get to see the errors in case my extension does not work?

First of all, enable debugging of the LDAP extension by setting the following line in your LocalSettings.php file:

$wgLDAPDebug = 3; //for debugging LDAP

You should then see the debug messages at the top left corner of the page, like this:

[Screenshot: LDAP debug output printed at the top of the wiki page]

Set $wgLDAPDebug back to 0 once the problem is found: these messages are printed into the wiki page itself, not into a private log.
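When the extension’s debug output is not enough, it helps to perform the same bind outside MediaWiki so that reachability, STARTTLS and the credentials can be checked one at a time. The script below is an added example, not part of the original post or of the extension; it uses only the php5-ldap module installed in Step 3. myad1.mycompany.net, mynet and dc=mycompany,dc=net are the post’s placeholders, and the script name ad-bind-test.php is an assumption.

```php
<?php
// Added example (not from the original post): exercise the extension's bind
// and sAMAccountName lookup directly with php5-ldap.
// Placeholders: myad1.mycompany.net, mynet, dc=mycompany,dc=net.
// Usage: php ad-bind-test.php USERNAME   (the password is prompted for)

$server  = "myad1.mycompany.net";
$netbios = "mynet";
$baseDn  = "dc=mycompany,dc=net";

// RFC 4515 escaping for a value placed inside a search filter, so that a
// login name such as "*)(objectClass=*" cannot rewrite the query.
function ldapFilterEscape($value) {
    return str_replace(
        array("\\",   "*",    "(",    ")",    "\x00"),
        array("\\5c", "\\2a", "\\28", "\\29", "\\00"),
        $value
    );
}

if (!function_exists('ldap_connect')) {
    fwrite(STDERR, "PHP LDAP module not loaded (apt-get install php5-ldap)\n");
    exit(2);
}
if (!isset($argv[1])) {
    fwrite(STDERR, "usage: php ad-bind-test.php USERNAME\n");
    exit(2);
}
$user = $argv[1];

fwrite(STDERR, "Password for $netbios\\$user: ");
system('stty -echo');                       // do not echo the password
$password = rtrim(fgets(STDIN), "\r\n");
system('stty echo');
fwrite(STDERR, "\n");

// Active Directory treats a simple bind with an empty password as an
// anonymous bind and reports success, so reject it before binding.
if ($password === '') {
    fwrite(STDERR, "refusing to bind with an empty password\n");
    exit(1);
}

$conn = ldap_connect("ldap://$server:389");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; chasing them breaks searches

// Upgrade the connection before the password is sent
// (what $wgLDAPEncryptionType = "tls" does in the extension).
if (!ldap_start_tls($conn)) {
    fwrite(STDERR, "STARTTLS failed: " . ldap_error($conn) . "\n");
    exit(1);
}

if (!@ldap_bind($conn, "$netbios\\$user", $password)) {
    fwrite(STDERR, "bind failed: " . ldap_error($conn) . "\n");
    exit(1);
}
echo "bind OK as $netbios\\$user\n";

// Same lookup the extension performs with $wgLDAPSearchAttributes = sAMAccountName
$filter = "(sAMAccountName=" . ldapFilterEscape($user) . ")";
$result = ldap_search($conn, $baseDn, $filter,
                      array("sAMAccountName", "displayName", "mail"));
if (!$result) {
    fwrite(STDERR, "search failed: " . ldap_error($conn) . "\n");
    exit(1);
}
$entries = ldap_get_entries($conn, $result);   // attribute names come back lower-cased
echo "entries found: " . $entries["count"] . "\n";
for ($i = 0; $i < $entries["count"]; $i++) {
    $e = $entries[$i];
    echo "  dn: " . $e["dn"] . "\n";
    foreach (array("samaccountname", "displayname", "mail") as $attr) {
        if (isset($e[$attr][0])) {
            echo "  $attr: " . $e[$attr][0] . "\n";
        }
    }
}
ldap_unbind($conn);
```

Run it on the wiki host, not on your workstation, so that the same network path and the same OpenLDAP client configuration are exercised. A failure at the STARTTLS step with a certificate error means the domain controller’s issuing CA is not trusted by the client (TLS_CACERT in /etc/ldap/ldap.conf); a failure at the bind step with the right password usually means the NetBIOS name or the controller hostname is wrong; a successful bind but zero entries points at the base DN.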

Do I need to have user in my MediaWiki database first before I authenticate using Active Directory?

No. If the user is not yet present in the MediaWiki database, an entry for the username you authenticated with against Active Directory is created automatically on first login. If the username already existed before that first login, no new user is created. User preferences such as real name and e-mail that are pulled from Active Directory are updated/overwritten for the corresponding user in the database on login if the entry already exists. Note that this also means every account that can bind to the directory can log in to the wiki; restricting access to particular groups is outside this simple setup.

I hope this has given you enough material to get started with LDAP/Active Directory authentication.

Happy LDAP’ing!
